Method of Actively Tagging Electronic Designs and Intellectual Property Cores

ABSTRACT

In an embodiment of the invention, an active security tag is embedded within the digital logic of an electronic design for logic destined for an integrated circuit such as an FPGA. The security tag includes security tag data which permits identification of the electronic design, and facilitates efforts to enforce copyrights in the designs. The security tag also includes a transmitter designed to covertly transmit security tag data to a receiver. Other information, such as error information and status information about the integrated circuit may also be transmitted. The transmitted information is concealed from detection by being hidden within background noise signals or other signals created by normal usage of the integrated circuit.

This application is a continuation of co-pending U.S. application Ser. No. 11/852,205 filed on Sep. 7, 2007, which claims the benefit of United Kingdom Patent Application Serial No. GB 0617697.8, titled “Method of Actively Tagging Electronic Designs and Intellectual Property Cores”, filed Sep. 8, 2006, all of which is fully incorporated herein by reference.

FIELD OF THE INVENTION

This invention relates to the labeling and protection of electronic design information, particularly electronic design fragments that are sold as Intellectual Property Cores (IP Cores) to be incorporated in larger customer designs.

BACKGROUND OF THE INVENTION

Unscrupulous equipment manufacturers may abuse the intellectual property rights of designers by making use of their designs without permission. Examples of such illegal activity include:

1. Copying FPGA bitstream information from a competitor's product and using it to configure the same kind of FPGA in one's own product.
2. When using a design under license, making more units of the design than the licensing agreement and fees paid would allow (overbuilding).
3. Obtaining design information through fraudulent methods or through reverse engineering and making use of the design without paying any required fees.

Design information may relate to designs which are to be implemented on Field Programmable Gate Arrays or designs which are to be implemented directly as integrated circuits.

A problem faced by owners of such design information, seeking to police abuse of their intellectual property rights, is that it is costly and time consuming to determine whether a particular product does in fact contain the proprietary design fragment. In the case of silicon chips the only practical method is to obtain a sample of the product under suspicion and send it to a specialist laboratory for analysis and reverse engineering. In the case of FPGA designs where the bitstream is encrypted or programmed into antifuse FPGAs, where the state of the anti-fuses is almost impossible to determine even by microscopic analysis, the difficulty of obtaining evidence of wrongdoing is even greater.

As well as allowing the detection of illegal use, the ability to label design components will have other benefits in the area of quality assurance and failure analysis. Modern electronic systems such as personal computers contain hundreds of integrated circuits from tens of IC vendors. Each of these integrated circuit chips is likely to be improved from time to time resulting in different versions of the chip being sold at different times. Some chips may be available from more than one vendor. Some complex “System on Chip” devices may contain IP Cores which themselves are updated from time to time, so different versions of the IP may be present in different chips. The system may contain programmable FPGA chips whose functionality can be changed by downloading a new bitstream while the system is in the field. When FPGA chips are used the configuration of the system is not necessarily fixed at the time of manufacture.

When a system fails in the field it is important for the service engineer or technical support person to be able to determine the “version” of the system and key components within it which has failed. The most practical way of doing this at the present time is to “open the lid”, take out the board and examine the top of the package of any suspect chips. Chip packages are usually printed with the part number and a code which can be used to identify the design version and date of manufacture. This system is not perfect because chip packages are becoming smaller, which limits the amount of information that can be printed. Some package materials do not lend themselves to legible printing. Also, marketing people would prefer to use the available space for company logos rather than long product identification codes. In some cases companies deliberately remove markings or ask for unmarked devices in order to make it difficult for competitors to determine which chips have been used in their system. At a practical level it can be difficult to decipher the markings on the top of chip packages. With programmable chips such as FPGAs the labeling on the chip package does not identify the design which has been programmed into the chip.

The industry around licensing IP Cores is still relatively young so there has been little work specifically on detecting the use of IP cores within a larger design. However, several companies offer “reverse engineering” services where they analyse integrated circuit chips to determine the circuits which have been implemented on them. These services are used for competitive analysis purposes and also to provide evidence of patent infringement. Reverse Engineering services could be used to provide evidence of improper use of an IP core within an integrated circuit.

In the context of FPGAs “passive” techniques which use analysis of bitstream or other design files have been proposed to detect unauthorised use of design intellectual property. In most cases analysis to detect the presence of an IP Core is based on obtaining a product containing the suspect FPGA. Normally there will be no access to files from the CAD tools used in the FPGA design process, except the final bitstream. In the case where the bitstream cannot be recovered because it is encrypted or programmed into an antifuse or FLASH based FPGA, bitstream analysis techniques would be useless. Conventional reverse engineering services which conduct an analysis of the physical interconnects on the integrated circuit are also of no help in the FPGA case, because the IP core design cannot be determined by analysing the mask work of the FPGA it is configured into.

In the context of ASIC chips it is common practice to include markings within the mask work for the top metal layers which can be read by the naked eye or through a microscope. These markings often contain company logos, copyright messages and revision data for the masks used to fabricate the design. Sometimes smaller copyright messages are hidden within the maskwork in the hope that a pirate who copies the mask will not notice their presence and remove them and that they can then be used as evidence of copyright infringement.

There is, therefore, a need for a method which can produce an inventory of the chips used in a system, including design version and manufacturing batch information. Such a method should ideally be fast, easy to use, be able to operate without disassembling the equipment containing the chips, require no new pins on the chip packages and work with designs programmed into FPGA chips as well as designs manufactured directly in silicon.

SUMMARY OF THE INVENTION

In one novel aspect of an embodiment of this invention an active “tag” circuit is provided whose presence within an integrated circuit or FPGA can easily and cost-effectively be determined. Unlike prior-art passive tags which are detected by optical inspection of integrated circuit artwork or analysis of FPGA bitstream files the active tag is an operational circuit which creates a signal which is then detected off chip. Thus the functionality of an active tag is independent of the bitstream file format or the memory technology used to store FPGA configuration data and is equally applicable to conventional non-programmable chips.

Advantages of this method of securing intellectual property include:

1. IP core vendors do not have to undertake costly and time consuming physical analysis of IC chips to determine if their intellectual property has been included within them.
2. In the case of FPGA chips, the presence of IP cores can be detected even when the FPGA bitstream is encrypted.
3. It is difficult for illegal users of IP cores to detect and remove the tagging component.

Further objects and advantages of the invention will become apparent from a consideration of the drawings and ensuing description.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows the basic principle of the active tag of an embodiment of the invention.

FIG. 2 shows a more detailed block diagram of an active tag of an embodiment of the invention.

FIG. 3 shows an embodiment of an active tag which communicates by modulating the power supply voltage.

DETAILED DESCRIPTION OF THE INVENTION

Turning to FIG. 1, in one novel aspect of an embodiment of the invention a security tag design fragment 100 is disclosed, which creates a covert channel 110 between itself and detection equipment 120 located outside an integrated circuit 130. This integrated circuit 130, containing the security tag 100, is then incorporated in a piece of electronic equipment 140. By connecting detection equipment 120 to the electronic equipment 140 (or in some cases merely positioning a sensor from the detection equipment 120 near the electronic equipment 140), the security tag 100 creates a covert communications channel 110 between itself and the detection equipment 120, which allows the detection equipment 120 to determine that the security tag 100 is present.

Although the security tag 100 is shown in FIG. 1 as being added to an IP core 150, by the IP core vendor, a designer of a complete chip (rather than an IP core 150 design fragment) could also use a security tag 100 on the chip 130 to protect their own intellectual property rights. In another scenario a vendor of Electronic CAD tools might program their tools to add a security tag 100 to any chip created using the tools. This would allow the vendor to determine if any commercial chips had been created using unlicensed or academic versions of the software. Piracy and misuse of expensive CAD tools is widespread in poorer countries which are trying to build up an electronic design infrastructure.

Preferably the security tag 100 should have the following properties:

1. The tag should not require special silicon processing, excessive silicon area or excessive power consumption. It is desirable that the security tag has minimal impact on the cost of the system.
2. It should be hard for a malevolent party to disable the tag. Analogously to a tag used to protect clothing in a shop, in order to be effective a security tag for intellectual property should be difficult to remove or disable. One way of achieving this is to make the tag difficult to find. As well as protecting the tag, it is also important to protect the communication channel between the tag and the detection equipment from disruption.
3. The tag should uniquely identify the piece of IP it is protecting. If security tags become commonplace there could be several of them within a particular piece of electronic equipment. Therefore it is advantageous if the tag can uniquely identify the piece of IP it is protecting rather than just announcing that there is a tag somewhere within the system.
4. Detection of the tag should be a completely reliable indication of its presence. Since the tag is intended to provide legal evidence of the presence of a particular piece of IP it is important that the detection equipment is highly unlikely to detect the tag incorrectly when it is not in fact present.

In an alternative embodiment of the invention, rather than inserting a special security tag 100 into the design to be protected, aspects of the activity of the design itself which can be detected off chip are used to confirm the design's presence. These aspects of the activity of the design act as a de facto security tag 100.

FIG. 2 shows a generic security tag 100. The security tag 100 contains tag data 210 which uniquely identifies the product being tagged. Unique numbering schemes for product labeling are known in the art; for example, bar codes are widely used in industry and Radio Frequency ID (RFID) chip tags are becoming more common. Rather than create a new numbering scheme for the security tag 100 it may well be better to create tag data 210 using one of these existing standards. From a physical implementation point of view the actual numbering scheme is not important: the tag data 210 is just a binary number. For example, tag data 210 might be a 128 bit integer assigned to a tag user by the company which provides the security tag 100.

In an aspect of an embodiment of the invention, a connection 220, “Input Data”, is shown to the tag data box 210 to allow the security tag 100 to transmit status information from other circuitry on the chip as well as the tag identification data 210.

In another novel aspect of an embodiment of the invention, this “input data” connection facility 220 on the security tag circuit 100 can be used to allow the chip to communicate error information to detection equipment. Many chips in an electronic system, and particularly IP core subsystems within a larger chip, have no way of communicating error information through their normal interface signals. Thus even if a chip or an IP core within a chip detects a fault condition it cannot communicate this to the larger system or to a service engineer. The number of pins on the chip package is usually severely limited and there is no reasonable standardised way to collect together error signals from many chips at the system level. The ability to transmit error information using a standard protocol through the power supply wiring in a secure form would greatly simplify failure analysis of complex electronic systems. When this is done using the secure communications channel created by the IP security tag 100 the designer of the core can also be confident that error information from its product will only be available to its own engineers.

The coding/modulation box 230 is responsible for taking the basic information to be transmitted, provided by the tag data unit 210, and coding it up into a form more suitable for transmission. Some transmission methods may involve modulating the coded data onto a carrier signal. The transmitter 240 is responsible for causing some effect which can be detected off the chip and can be used to signal information. Many possible physical effects could be used, for example, temperature variations, voltage variations on the power supply, radio waves or modulation of the transition times of data signals from the main operating circuitry of the chip. In general, any physical effect caused by on chip circuitry which can be detected off chip could be used to signal information. Subsequent sections of this application will consider particular effects which are presently considered to be preferred for this purpose.

The tag application 100 only requires a very small amount of information to be communicated (less than 11 k byte) and it does not require high speed communication (a speed of 1 Kbyte/second would be quite acceptable). Furthermore, the transmission range is very low (a few centimetres) and in some cases a direct wired connection is possible. This is a very much easier task than that faced by most wired or wireless data communications equipment, for example cellular phones, Bluetooth, IEEE 802.11, wireless local area network or ADSL. In an embodiment, the unique constraint of the tag application 100 is that (although the receiver may be relatively complex and expensive) the transmitter 240 must be very simple and, in the case of an FPGA, use only standard digital logic. A second issue is that as well as normal concerns about noise there is a possibility of a nefarious party employing active countermeasures to disrupt the channel between the tag and the receiver.

IP Tagging Using Power Analysis

By connecting test equipment to the power pins of an integrated circuit (or traces on the printed circuit board adjacent to the power pins) one can measure small changes in the voltage caused by variations in the current drawn by circuits on the chip. This technique has been studied in the cryptographic literature as a “side channel” through which information about cryptographic keys might “leak” from a chip such as a smartcard which carries out a cryptographic function. In the cryptographic context this is considered undesirable and considerable research effort has gone into ways of reducing or mitigating this effect.

In a presently preferred embodiment of this invention it is proposed that a “security tag” 100 design fragment be produced which quite deliberately modulates its power supply requirement in such a way as to covertly transmit a distinctive signal to detection equipment 120 connected to the power pins of the integrated circuit or to the power bus in the system which contains the integrated circuit. These power pins or power bus provide the covert communications channel 110 shown in FIG. 1. Should the external detection equipment 120 detect such a signal then the user can be sure that a security tag 100 is present within the chip 130 and therefore that the Intellectual Property to which the security tag 100 was added is also present. If the manufacturer of the chip does not have a license to use the intellectual property then this is evidence that the intellectual property is being used illegally.

The design considerations for the timing circuit used to generate timing signals for the security tag 100 depend to some extent on whether the tag 100 is designed for use to protect an IP core 150 or a chip level system 130. If the user of the security tag 100 designs the whole chip 130 then they have control of the system clock within the chip 130 and it may be reasonable to use the system clock to generate timing signals for the security tag 100, although there is a chance that the system clock will be interfered with at the board level.

When the security tag 100 is added to an IP core 150, on the other hand, the system clock frequency is not directly controlled by the IP core designer and there is a possibility of the system clock being gated (disabled) when the IP core function is not required. Thus relying on the system clock for correct operation of the security tag 100 is less desirable.

For these reasons, in a preferred embodiment timing for the IP tag 100 is derived from a ring oscillator so that it is not dependent on the system clock frequency. This has the added benefit that the frequency at which the tag's signal is transmitted is under the direct control of the tag designer and is known in advance (instead of being a function of the system clock).

Most of the noise on the power supply lines of the chip 150 will be at the system clock frequency (caused by the power drawn by the buffers which distribute the system clock throughout the chip 150), the first few major harmonics of the system clock frequency (since the system clock is ideally a square wave, frequency components higher than the base frequency must be present) and fractions of the system clock frequency (since many data and enable signals will change at a fraction of the system clock).

The challenge facing the security tag designer is that the security tag 100 is a very small part of the overall design. Therefore, almost all signal transitions inside the IP core 150 or chip 130 are within circuits unrelated to the security tag 100. Each transition results in noise on the power supply lines (which are the covert channel 110 in this embodiment). Transitions on heavily loaded signals such as external I/O pins and clock drivers will cause much larger noise voltages than those on small transistors driving short range signals. Power supply noise is considered undesirable since it affects the performance of the integrated circuit 130 and in extreme cases can cause it to fail. Therefore it is standard practice to place capacitors to filter transients on the power supply close to the pins of the chip 130. Within the chip 130 the capacitance of the power supply distribution network also has a filtering effect and it is becoming more common to include “designed” on chip capacitance. The challenge is to detect the signal from the security tag 100 in the presence of the interfering signals and despite the attenuation from smoothing capacitors.

One way to make the signal from the security tag 100 more easily detectable is to increase the power of the transmitter 240. This would involve creating a larger signal voltage on the power supply lines within the chip 130. One way of creating a signal voltage on the power supply lines is to directly short power to ground for a short period through a large pass transistor controlled by the signal. Another method is to connect the signal to a large buffer which drives a heavy capacitive load. In the case of a security tag 100 to be incorporated in a design implemented on an FPGA it is necessary to work with the circuit primitives offered by the FPGA chip. In some devices it is possible to create a “contention” condition in which several long line drivers attempt to force the long line to different values; this is equivalent to the simple circuit where power is shorted to ground through two pass transistors. Long lines have higher capacitive load and larger drivers than most signals on the FPGA and driving long lines with the signal to be transmitted can be expected to cause larger effects to the power supply voltage. It would also be possible to connect the signal to a global clock buffer or a net with high fanout.

It is desirable for the security tag 100 to operate with the smallest possible transmit power which allows for reliable reception of the signal. There are several reasons for this:

1. Large transients on the on-chip power supply wiring can cause incorrect operation.
2. Large power consumption in the security tag 100 is undesirable and particularly high currents may lead to reliability problems.
3. Large signals make the presence of the security tag 100 more obvious.

Given that it is not feasible or desirable to simply increase the transmit power to the point where the signal from the tag 100 dominates noise signals on the power supply wiring it is clear that the receiver in the detection equipment 120 faces the problem of distinguishing a small signal from within much larger noise. This is exactly the same problem faced by radio receivers and approaches developed for digital radio receivers in equipment like cellular phones can be applied to this problem:

1. Selection and Amplification. The amplitude of the wanted signal will be very small, perhaps only a few microvolts. In order to process the signal further it is necessary to amplify it. However, the noise voltage may be a few tenths of a volt, 100,000 times larger. It is necessary to filter out as much as possible of the noise before applying amplification, otherwise the amplified noise voltage will saturate the amplifier and the signal will be lost altogether.
2. Mixing. Mixing with a carrier frequency is commonly used in radio communications to change the frequency band at which a signal is present.
3. Coding Gain. This refers to techniques such as Code Division Multiple Access (CDMA) which result in an apparent amplification of the signal as a result of digital signal processing.
4. Frequency Hopping. This refers to a technique in which the transmit frequency is changed from time to time according to a pattern which is known to the receiver in the detection equipment 120 but not unauthorised eavesdroppers or parties trying to “jam” the transmission. Frequency hopping makes the signal from the security tag 100 more resistant to interference from other circuitry within the chip 130 whether malicious or a consequence of normal operation. Frequency hopping can also provide a means of mitigating interference from other security tags within the system.

Previous work in the cryptographic literature on extracting information from power supply variations has relied on statistical techniques such as Differential Power Analysis to detect patterns in the data. These statistical techniques can also be looked on as a form of coding gain, as noted above. In the cryptographic literature the circuitry which creates the information on the power supplies is not designed by the person who wishes to receive the information; in fact the two are adversaries, and the goal of the chip designer is to prevent information leaking on the power supply.

In the case of a security tag 100 the designer of the transmit circuitry 240 will wish to make the receiver's job as easy as possible. In one simple embodiment, to allow selection and amplification, the frequency at which the security tag 100 transmits is chosen to be widely separated from the frequency of potential interfering signals. A drawback of this approach is that it makes the presence of the core possible to detect by an attacker using standard test equipment such as a spectrum analyser. For this reason, in another embodiment the frequency of operation of the security tag signal within the core is chosen to lie within that of interfering signals in an attempt to “hide” the tag signal within the background noise. In this case more sophisticated schemes will be necessary to allow for detection of the tag signal.

In an embodiment, the data from the security tag 100 is coded using Code Division Multiple Access (CDMA) techniques to produce a signal for transmission. CDMA is a technology widely deployed in the cellular phone industry. CDMA has several benefits: it provides additional coding gain to separate signal from noise in the receiver, it provides a method to allow several tags to simultaneously transmit data in the same frequency band without blocking each other's signal and it makes the signal from the tag appear like noise to parties other than the intended receiver.

It will be appreciated that there is a tradeoff between the complexity (and hence the cost) of the transmit and receive circuitry, the difficulty of detecting its presence and the robustness of the channel to noise and deliberate “jamming”. The best solution will depend on commercial judgment about the sophistication of likely attackers and the acceptable cost of the tag circuit 100.

FIG. 3 shows an embodiment of a security tag 100 which uses the power supply as a covert channel 110. Since the tag data 310 does not change in this example, instead of incorporating a coding circuit within the chip to calculate an error correcting code based on the tag data 310, the coded data 310 can be calculated in advance and the coded tag data 310 is stored in the security tag 100 on the chip 130. A ring oscillator 320 is used to develop a carrier frequency and clock the spreading circuitry 330 which “spreads” the data signal using a spreading code such as those used in CDMA cellular phones. Finally, the spread-spectrum signal is connected to drive a high fan out net 340. The capacitive loading on this net 340 ensures that each transition of the net 340 will draw sufficient current to cause a small disturbance to the voltage on the chip power supply rails, which form the covert channel 110. By measuring the “noise” on the power supply rail outside the chip 130 and using its knowledge of the spreading codes to collect together and separate the signal information from the background noise the receiver circuit within the detection equipment 120 can reconstruct the original tag signal from the security tag 100.
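The spreading and despreading steps described for FIG. 3, as an added simulation that is not part of the patent text: a 128 bit tag is spread with a 1023-chip code, buried in noise five times its amplitude, and recovered by correlating with the known code, while a receiver holding a shifted code sees only noise. The LFSR polynomial, the tag value, the amplitudes, the zero-mean Gaussian noise model and the perfectly chip-synchronised receiver are assumptions chosen for illustration.

```python
import math
import random

CODE_LEN = 1023  # chips per data bit: one full period of the 10-stage LFSR
TAG = 0x0123456789ABCDEFFEDCBA9876543210  # constructed 128-bit tag value


def pn_code():
    """One period of the m-sequence of x^10 + x^3 + 1 as +1/-1 chips."""
    state = [1] * 10
    chips = []
    for _ in range(CODE_LEN):
        chips.append(1 if state[9] else -1)      # output is stage 10
        feedback = state[2] ^ state[9]           # stage 3 XOR stage 10
        state = [feedback] + state[:9]
    return chips


def tag_to_bits(tag, width=128):
    """Most significant bit first."""
    return [(tag >> (width - 1 - i)) & 1 for i in range(width)]


def bits_to_tag(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def spread(bits, code, amplitude=1.0):
    """Transmitter side: each data bit becomes one signed copy of the code."""
    out = []
    for b in bits:
        level = amplitude if b else -amplitude
        out.extend(level * c for c in code)
    return out


def rail_samples(tx, noise_sigma, rng):
    """Channel: the tag signal plus unrelated switching noise on the rail."""
    return [s + rng.gauss(0.0, noise_sigma) for s in tx]


def correlate(samples, code):
    """Receiver side: per-bit correlation, normalised by the code length."""
    n = len(code)
    return [sum(x * c for x, c in zip(samples[i:i + n], code)) / n
            for i in range(0, len(samples), n)]


def run_demo(seed=2007, noise_sigma=5.0):
    rng = random.Random(seed)
    code = pn_code()
    wrong = code[200:] + code[:200]   # a receiver without the right code phase
    rx = rail_samples(spread(tag_to_bits(TAG), code), noise_sigma, rng)
    good = correlate(rx, code)
    bad = correlate(rx, wrong)
    return {
        "recovered": bits_to_tag([1 if v > 0 else 0 for v in good]),
        # Mean correlation magnitude: near the tag amplitude with the right
        # code, near the residual noise level with the wrong one.
        "strength_right": sum(abs(v) for v in good) / len(good),
        "strength_wrong": sum(abs(v) for v in bad) / len(bad),
        "chip_snr_db": 20 * math.log10(1.0 / noise_sigma),
        "coding_gain_db": 10 * math.log10(CODE_LEN),
    }


if __name__ == "__main__":
    r = run_demo()
    print("tag recovered:", r["recovered"] == TAG)
    print("per-chip SNR %.1f dB, coding gain %.1f dB"
          % (r["chip_snr_db"], r["coding_gain_db"]))
    print("correlation strength, right code %.2f, wrong code %.2f"
          % (r["strength_right"], r["strength_wrong"]))
```

The gap between the two correlation strengths is also what gives the detection equipment a threshold for declaring that no tag is present, which is the reliability property listed earlier for the tag.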

IP Tagging Using EMC Analysis

It is well known that modern chips operating at high clock frequencies radiate radio signals. Normally, these radio signals are considered undesirable and designers attempt to minimise them since they can potentially interfere with radio communications or other circuits within the system. For example, the metal cases of personal computers (and many other items of electronic equipment) are designed to act as a shield to stop these radio signals escaping. This subject is referred to as Electro-magnetic Compatibility (EMC); the undesired radio signals are themselves referred to as Electromagnetic Interference (EMI).

These unintended emissions have been used for practical purposes before. For example, in the United Kingdom television licensing regulations are enforced by “detector vans” which patrol the streets and can detect the EMI emitted by television sets in nearby buildings. If a television is detected in a building for which no television license has been purchased then officers have reason to believe that it is being operated illegally. Another example is the use of EMI leaking from computer monitors by intelligence services to determine the information currently being displayed on the screens. To prevent this espionage there is a defense standard called TEMPEST which specifies methods of ensuring that EMI does not leak from sensitive equipment.

UK Patent 2,330,924 describes a system for enforcing software licensing in which software programs running on a PC display a particular pattern on the PC's monitor. This pattern results in a characteristic EMI signal being transmitted which can be detected by a van in the street. The idea is that software companies could keep a database of their customers' addresses and when a detector van discovered their program in use at an unlicensed address then they could attempt to get a court order to search the premises.

The voltages required to create an image on Cathode Ray Tube (CRT) based television sets and computer monitors reach several thousand volts and therefore the level of EMI is massively greater than that in the tiny low power circuits of an individual integrated circuit. Moreover the characteristics of the signal corresponding to an image on a monitor are repetitive (once per frame) and information changes relatively slowly (since it is intended to be read by a human); both these characteristics simplify the task of processing the received signal.

Detecting EMI from an individual integrated circuit is a much more difficult problem than detecting EMI from a CRT display. The power of radio signals falls off quickly with distance from the source of the signals (the actual rate of fall off depends on the frequency of the signals and the surrounding environment but it is at least quadratic with distance). Thus the distance at which low power signals can be detected is much shorter. Preferably, in this embodiment the detection equipment 120 will include an antenna which receives the EMI signals comprising the covert channel 110 from the security tag 100. This antenna within the detection equipment 120 will be held within the electronic equipment 140 box and close to the chip 130 of interest. Increasing the range at which detection can be made is desirable and there is a trade-off between the complexity of the security tag transmitter 240 and receiver circuitry within the detection equipment 120, and the range at which the signals can be received. If the range at which signals can be detected exceeds a few centimetres the method must also provide a means for detecting which of several chips within the potential reception area actually contains the security tag 100. This may involve the use of directional antennas within the detection equipment 120 or by the operator steadily decreasing the gain of the receiver (and hence the reception range) as the antenna approaches the transmitter 240.

The detection equipment 120 for detecting the radio signal from the security tag 100 is very similar to that used in the power analysis case described above. Instead of connecting a probe from the receiver to the power supply within the electronic equipment 140 containing the suspect chip 130, the receiver is connected to an antenna which is held close to the electronic equipment 140. The various techniques described above in the power analysis case: selection and amplification, mixing, CDMA coding and frequency hopping are all applicable to radio signaling as well.

In an embodiment, Ultra Wide Band (UWB) radio technology is used to build a covert channel 110 between the security tag 100 and external detection equipment 120. UWB radios spread a signal over a very wide frequency band reducing the signal energy at any particular frequency so that it falls below background noise. This makes UWB radio communication difficult to detect and jam. The pulse-based variant of UWB radio is attractive in a security tag context because it requires a relatively simple transmitter.

IP Tagging Using Signal Activity Analysis

In another embodiment information is covertly communicated from a security tag 100 included on an integrated circuit 130 by modulating the timing of edges on output pins by adding or removing a short delay. The output pins comprise the covert communications channel 110. The transmitter 240 in the security tag 100 modulates the timing of edges on the output pins (i.e. covert channel 110), to encode the security tag information using any of the coding options discussed above. As long as the edge still meets the setup constraints relative to the system clock this should have no effect on the system functionality.

IP Tagging Using Thermal Analysis

Activity in an electronic circuit results in heat being generated which in turn will raise the temperature of the chip package. In a novel embodiment a security tag 100 communicates in a covert way with an external detector 120 by employing the transmitter 240 to modulate its power consumption over time, resulting in small changes to the overall heat generated by the entire design including the IP core and the tag and hence the package temperature of the chip 130 containing the tag. A detector 120 could use an infra red sensitive camera or photodiode or another temperature measurement technology to track the temperature on the surface of the chip package and detect the covert signal. In this embodiment, the chip package itself supplies the covert communications channel 110.

There are two main problems with this technique relative to electromagnetic or power analysis techniques:

1. Chip temperature will change relatively slowly over time compared with electrical signals.
2. The contribution of the security tag 100 must be small relative to the overall power consumption of the chip 130. Customers typically seek to minimize the power consumption of their systems and may not accept a tag technology which significantly increased overall power consumption.

It is still possible to detect a signal from the security tag 100 despite these two problems but in order to separate out the tag signal from the much larger “background noise” generated by the other circuits on the chip a large number of temperature measurements, sequenced over a relatively long time period (perhaps several hours) will be required. This will limit the scenarios in which the thermal technique could be used.
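The following simulation is an added illustration, not part of the patent text, of why the thermal detector needs so many measurements: a tag contribution far below the background noise only stands out once the correlation against a known sequence is accumulated over a long record. The ±1 pseudo-random chip sequence, the Gaussian noise model, the threshold and all numeric values are assumptions constructed for the example.

```python
import random
import statistics

def pn_sequence(n, seed):
    """Pseudo-random +/-1 chips known to both tag and detector (assumed coding)."""
    rng = random.Random(seed)
    return [rng.choice((-1, 1)) for _ in range(n)]

def package_temperature(chips, tag_amplitude, noise_sigma, seed, tag_present=True):
    """Constructed samples: baseline + large background noise + tiny tag term."""
    rng = random.Random(seed)
    baseline = 45.0  # deg C, constructed value
    return [baseline + rng.gauss(0.0, noise_sigma)
            + (tag_amplitude * c if tag_present else 0.0)
            for c in chips]

def detection_score(samples, chips):
    """Correlate mean-removed samples with the known chips.

    Without a tag the correlation sum is roughly N(0, sigma^2 * N), so the
    returned value behaves like a z-score; with a tag it grows as
    tag_amplitude * sqrt(N) / sigma.
    """
    mean = statistics.fmean(samples)
    sigma = statistics.pstdev(samples)  # noise level estimated from the data
    corr = sum((s - mean) * c for s, c in zip(samples, chips))
    return corr / (sigma * len(samples) ** 0.5)

def tag_detected(samples, chips, threshold=5.0):
    """Declare a tag only when the score is far outside the no-tag range."""
    return detection_score(samples, chips) > threshold

if __name__ == "__main__":
    chips = pn_sequence(100_000, seed=1)
    # Tag swing of 0.02 deg C under 0.5 deg C of background noise (constructed).
    for n in (100, 10_000, 100_000):
        window = chips[:n]
        samples = package_temperature(window, 0.02, 0.5, seed=2)
        score = detection_score(samples, window)
        print(f"{n:>7} samples: score={score:6.2f} detected={tag_detected(samples, window)}")
```

Because the score scales with the square root of the number of samples, halving the tag's thermal contribution quadruples the observation time needed for the same confidence.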

The two main advantages of the thermal technique are that, since all that is required is to increase signal activity levels to generate heat, the security tag 100 can be implemented with very simple circuitry. A thermal tag would be easier to “camouflage” within a larger design than, for example, circuits designed to generate radio signals. The detector circuit 120 can also be very simple and low cost.

Use of IP Tags for Version Control and Quality Purposes

The proposed tag technology, particularly the embodiment which communicates through power supply lines, provides the ability to automatically take an inventory of every security tag 100 within a chip 130 connected to the system power bus for the electronic equipment 140. This application would require wide deployment of compliant security tags 100 which would most likely require the security tags 100 to be adopted as an industry standard. Tags could be programmed with product version information; manufacturing batch information could be included in the tag using small non-volatile memories or fuses. An engineer could determine a complete inventory of chips used in the system by simply plugging an analyser into a connector on the main power supply bus. The analyser would decode the signals generated by the tags on the power supply wiring to produce a list of tags that were present in the system. Alternatively, the analyser function could be built in to the system itself. In this case when a customer called for technical support the remote engineer could obtain data on the complete configuration of the system without needing to visit the site where the system was installed. This option would be particularly convenient if the equipment had an internet connection which could be accessed remotely by the service engineer.

The ability to rapidly and remotely determine the exact configuration of equipment owned by a particular customer could improve the quality of technical support available and reduce the need to recall equipment or send out service engineers “just in case” where a batch of chips are known to have a defect but it is not known which customers were sold equipment containing those chips.

Most modern consumer electronics is manufactured by Original Device Manufacturer (ODM) companies in low cost areas such as China rather than by the “brand name” which sells the equipment. Price pressure is intense and ODM companies are highly motivated to reduce the cost of the component “bill of material”—every penny reduced from the bill of material increases their profit. Unscrupulous distributors and chip suppliers may offer ODMs “cloned” chips (i.e. unauthorised copies of chips from reputable semiconductor companies) or even chips which failed test and were “rescued” from the scrap bins. Such products may cause reduced reliability in the final product resulting in expense and embarrassment to the “brand name” which subcontracted the manufacturing of its products. The IP tagging scheme disclosed here would allow a consumer electronics company to rapidly check that the products it was receiving from its ODM actually used the parts which it specified in the bill of materials provided to the ODM. The IP tagging scheme would also make it easy to determine which batches of components were causing problems should a previously reliable product start to experience quality problems.

In an embodiment the security tag circuits 100 communicate not only identification information but are also connected to error detection circuits within the “tagged” IP core or chip design and can communicate error information along with the tag identifier. The security tags 100 can thus communicate error information directly to the detector circuit from areas of the design which would normally be inaccessible to test equipment. Preferably, the error information would be protected through encryption or the covert properties of the communications channel 110 so that it was only available to the company which included the tag 100 in their design. This scheme could greatly simplify the diagnosis of complex electronic systems which fail in the field. In an embodiment the detector circuit 120 is built in to the system and error information can be accessed by authorised engineers remotely over the internet.

As process technology improves and device feature sizes get smaller and smaller a range of “deep sub micron” effects emerge which are likely to reduce the overall reliability and lifespan of integrated circuits. Moreover, the same trends allow more and more circuitry to be integrated on a single chip, which increases design complexity and drives the need to create designs by assembling bought-in IP cores. Programmable technologies such as FPGAs which allow design changes to be made after products are shipped are taking over more and more of the market. All these factors make it harder for a failure analysis engineer to determine the exact version of each chip component which has been used in a particular product. Thus, over time the need for technologies which can rapidly determine design version and manufacturing batch information and communicate error information from each chip in a system will increase.

In one embodiment each security tag 100 would contain an additional area of non-volatile memory. This memory could be programmed with a cryptographic key supplied by the company which purchased the chip and assembled it into a product. This key would be used to encrypt the signal from the security tag 100 so that only the company which assembled the product could make use of the IP core tags. This would prevent competitors using the security tags 100 to obtain a list of all the chips 130 used in the system. In another embodiment the cryptographic protocol would allow IP core vendors to detect their own tags even when this encryption was in place but not tags from other companies.

This application describes many embodiments and modes of use of a novel “active” method of tagging intellectual property cores and complete chip designs to allow detection of copyright infringement and also automatically inventory the design revisions and manufacturing batch numbers of chips within the system. The techniques are applicable to both FPGAs and mask programmed chips. This method will protect FPGA designs even if the FPGA bitstream is encrypted to prevent any reverse engineering analysis. Unlike prior art techniques where tags are added to the integrated circuit artwork and can only be detected after the chip packaging is removed, this technique is non-invasive, quick and does not affect the functionality of the system.

While the description above contains many specific details, these should not be construed as limitations on the invention, but rather as an exemplification of preferred embodiments thereof. Many other variations would be obvious to one skilled in the art and are intended to fall within the scope of this patent.

1. A method for detecting falsely labeled integrated circuits, comprising: reading tag data from a security tag, the security tag comprising: tag data which uniquely identifies the electronic design; a communications channel for interfacing with an external detector, to deliver the tag data to the external detector; and a transmitter for transmitting the tag data using a tag data signal via the communications channel to the external detector; and comparing the tag data with a product marking associated with the integrated circuit.

2. A method for enforcing electronic design tool licenses, comprising: causing an electronic design tool to covertly insert a security tag into a user design, wherein the security tag comprises a digital logic circuit including a transmitter implemented in the user design, and wherein the user design is implemented in an integrated circuit; and determining whether the security tag is present within the integrated circuit, using an external detection circuit to read tag data transmitted from the security tag by the transmitter.

3. A method for determining design version information on a user design programmed into an FPGA integrated circuit, comprising: receiving the FPGA integrated circuit, wherein the FPGA integrated circuit comprises a security tag, the security tag comprising information identifying a design and a transmitter for transmitting the information identifying the design, wherein the transmitter comprises a digital logic circuit implemented in the FPGA integrated circuit; causing the transmitter to transmit the information identifying the design; and determining the design version by reading the information transmitted by the transmitter, using an external detector.

4. A method for reading information from an integrated circuit, the integrated circuit comprising a security tag and a data link connected to the integrated circuit and to the security tag, the data link for providing the information from the integrated circuit to the security tag, the security tag comprising a communications channel for interfacing with an external detector, to deliver the information to the external detector, and a transmitter for transmitting the information using an information signal via the communications channel to the external detector, comprising: causing the integrated circuit to begin operating; causing the integrated circuit to deliver the information to the security tag over the data link; causing the transmitter to transmit the information over the communications channel to the external detector; and reading the information using the external detector.

5. The method of claim 4, wherein the information comprises error or status information about the operation of the integrated circuit.

6. The method of claim 4, wherein the transmitter comprises a digital logic circuit implemented in the integrated circuit.